Hi,
On 15/01/24 7:52 pm, Mohamed Abuelfotoh, Hazem wrote:
It looks like both 5.15.146 and 5.10.206 are impacted by this regression as they both have the
bad commit 33eae65c6f (smb: client: fix OOB in SMB2_query_info_init()). We tried to
apply the proposed fix eb3e28c1e89b ("smb3: Replace smb2pdu 1-element
arrays with flex-arrays") but there are a lot of dependencies required to do the backport.
Is it possible to consider the simple fix that Paulo proposed as a solution for 5.10 and 5.15?
We were lucky with 5.4 as it doesn’t have the bad commit because of merge conflict reported
in https://lore.kernel.org/all/2023122857-doubling-crazed-27f4@gregkh/T/#m3aa009c332999268f71361237ace6ded9110f0d0
I think we are also seeing the same error on running xfstests with cifs.
[root@vm xfstests-dev]# ./check -g quick -s smb3
TEST_DEV=//<SERVER_IP>/TEST is mounted but not a type cifs filesystem
This is with 5.15.147 stable kernel.
I started seeing this since 5.15.146, and on bisection it points to the
same commit:
commit bfd18c0f570e ("smb: client: fix OOB in SMB2_query_info_init()").
Reverting that commit fixed the issue, and when I applied the diff below
(provided in this thread) the tests ran fine.
[root@vm xfstests-dev]# ./check -g quick -s smb3 cifs/001
SECTION -- smb3
FSTYP -- cifs
PLATFORM -- Linux/x86_64 vm 5.15.147-master.el9.v5.x86_64 #1 SMP Mon Jan 15 22:39:33 PST 2024
MKFS_OPTIONS -- //<SERVER_IP>/SCRATCH
MOUNT_OPTIONS -- -ousername=root,password=PASSWORD,noperm,mfsymlinks,actimeo=0 //<SERVER_IP>/SCRATCH /mnt/scratch
cifs/001 1s ... 1s
generic/001 16s ...
Thanks,
Harshit
diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
index 05ff8a457a3d..aed5067661de 100644
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -3556,7 +3556,7 @@ SMB2_query_info_init(struct cifs_tcon *tcon, struct TCP_Server_Info *server,
iov[0].iov_base = (char *)req;
/* 1 for Buffer */
- iov[0].iov_len = len;
+ iov[0].iov_len = len - 1;
return 0;
}
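Review bot: the comment `/* 1 for Buffer */` above `iov[0].iov_len = len - 1;` does not say what the byte being subtracted is; state that `len` already counts the placeholder element of the request's 1-element Buffer array and that the on-wire length must exclude it, and consider writing the subtraction in terms of that array's size rather than a bare `1` so the relationship is visible to the next reader. The hunk also carries no commit message or Fixes: tag, which a stable-only change for 5.10 and 5.15 needs; since the thread says mainline already replaced these 1-element arrays with flexible arrays (eb3e28c1e89b), the description should make clear this is an alternative for trees that still have the 1-element layout, because on a tree where Buffer is already a flexible array this `- 1` would under-count the iov by one byte.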
Hazem
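As an added illustration (not code from the thread or from the kernel tree) of the length accounting behind the `len - 1` hunk: with a 1-element placeholder array, `sizeof()` of the request already includes one byte that is not part of the fixed header, so a length derived from it is one byte long unless the placeholder is subtracted; with a flexible array member there is nothing to subtract. The two packed structs below are simplified stand-ins (an assumption), not the kernel's `smb2_query_info_req`.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

/* Stand-in for the 5.10/5.15 layout: Buffer[1] is counted by sizeof(). */
struct __attribute__((packed)) req_old {
	uint16_t StructureSize;
	uint8_t  InfoType;
	uint8_t  FileInfoClass;
	uint32_t OutputBufferLength;
	uint32_t InputBufferLength;
	uint8_t  Buffer[1];
};

/* Stand-in for the flex-array layout: Buffer[] adds nothing to sizeof(). */
struct __attribute__((packed)) req_new {
	uint16_t StructureSize;
	uint8_t  InfoType;
	uint8_t  FileInfoClass;
	uint32_t OutputBufferLength;
	uint32_t InputBufferLength;
	uint8_t  Buffer[];
};

/* Bytes that actually go on the wire: fixed fields plus the input blob.
 * This is what iov_len must equal regardless of how the struct is declared. */
size_t wire_len(size_t input_len)
{
	return offsetof(struct req_old, Buffer) + input_len;
}

/* Placeholder bytes hidden inside sizeof() of the old layout (1 here). */
size_t placeholder_bytes(void)
{
	return sizeof(struct req_old) - offsetof(struct req_old, Buffer);
}

/* Regressed backport: total_len from sizeof(old layout) plus input_len. */
size_t iov_len_bad_backport(size_t input_len)
{
	return sizeof(struct req_old) + input_len;
}

/* The thread's fix for the old layout: drop the placeholder byte. */
size_t iov_len_fixed_backport(size_t input_len)
{
	return sizeof(struct req_old) + input_len - 1;
}

/* Flex-array layout: already exact, so "- 1" must NOT be applied here. */
size_t iov_len_flex(size_t input_len)
{
	return sizeof(struct req_new) + input_len;
}
```

The fixed backport and the flex-array variant agree with `wire_len()` for any input size, while the regressed backport is always one byte over and a `- 1` on the flex-array layout would be one byte under.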